SOCRadar® Cyber Intelligence Inc. | CISA Alert: Serious Vulnerabilities in Adobe ColdFusion (CVE-2023-44350, CVE-2023-44351, CVE-2023-44353 and More)
Nov 23, 2023


CISA has issued an alert regarding multiple vulnerabilities impacting Adobe ColdFusion. The alert underscores that the exploitation of the vulnerabilities could grant threat actors control over affected systems, prompting organizations to take measures to protect their systems.

Adobe ColdFusion serves as a rapid scripting environment for developing dynamic internet applications on both web and mobile platforms, utilizing ColdFusion Markup Language (CFML).

The security update addresses a range of vulnerabilities, including critical, high, and medium severity issues. These vulnerabilities have the potential to enable threat actors to access specific endpoints or execute arbitrary code, without requiring user interaction.

Which Versions of Adobe ColdFusion Are Vulnerable?

Adobe issued the most recent security patches for ColdFusion with an advisory on November 14, 2023. The advisory identifies vulnerabilities in the following versions of Adobe ColdFusion 2021 and 2023:

Product          | Affected Versions
ColdFusion 2023  | Update 5 and earlier versions
ColdFusion 2021  | Update 11 and earlier versions

Details of the Vulnerabilities

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are susceptible to multiple vulnerabilities. Four of these vulnerabilities, ranging from high to critical severity, can be exploited without requiring any user interaction:

CVE-2023-44351 (CVSS Score: 9.8, Critical): This vulnerability involves the deserialization of untrusted data, creating a significant risk of arbitrary code execution.

Vulnerability card for CVE-2023-44351 (SOCRadar Vulnerability Intelligence)

CVE-2023-44350 (CVSS Score: 9.8, Critical): Similar to the first, this vulnerability is linked to the deserialization of untrusted data, posing a critical risk of arbitrary code execution. It is worth noting that the severity rating for CVE-2023-44350 is 9.1 in the Adobe advisory.

Vulnerability card for CVE-2023-44350 (SOCRadar Vulnerability Intelligence)

CVE-2023-44353 (CVSS Score: 9.8, Critical): Yet another deserialization vulnerability, posing a critical risk of arbitrary code execution. The severity rating for CVE-2023-44353 is 5.3 according to the Adobe advisory, but the National Vulnerability Database (NVD) rates it as critical.

Vulnerability card for CVE-2023-44353 (SOCRadar Vulnerability Intelligence)

CVE-2023-26347 (CVSS Score: 7.5, High): This vulnerability involves improper access control and carries a high severity risk. It could lead to a security feature bypass, allowing unauthenticated attackers to gain access to administration CFM and CFC endpoints.

Vulnerability card for CVE-2023-26347 (SOCRadar Vulnerability Intelligence)

The remaining two vulnerabilities require user interaction, which makes exploitation harder; they are therefore rated with medium severity.

CVE-2023-44352 (CVSS Score: 6.1, Medium): It is identified as a reflected Cross-Site Scripting (XSS) vulnerability. In the event an unauthenticated attacker successfully persuades a victim to visit a URL linked to a vulnerable page, it opens the door for the execution of malicious JavaScript content within the victim’s browser.

CVE-2023-44355 (CVSS Score: 4.3, Medium): It is a vulnerability related to Improper Input Validation that could enable an unauthenticated attacker to impact a minor integrity feature. However, exploiting this vulnerability requires user interaction.

Apply the ColdFusion Updates by Adobe

Adobe has released patches to address the vulnerabilities in the following versions:

Product          | Fixed Version
ColdFusion 2023  | Update 6
ColdFusion 2021  | Update 12

Adobe assigns a priority level of 3 (out of 3) to the update for the ColdFusion vulnerabilities in the advisory. This designation indicates that, although Adobe has issued updates, there is no evidence of exploitation of the listed vulnerabilities, and historically the product has not been a target of attacks. As a result, Adobe advises administrators to install the updates at their discretion.
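A patch-triage helper, added here as an example and not part of the SOCRadar post or any Adobe tooling, that maps ColdFusion inventory strings onto the affected/fixed update levels from the two tables above and lists the CVEs the page attributes to unpatched installs. The two accepted input formats, a "ColdFusion <year> Update <n>" label and a comma-separated productversion string of the form "2023,0,05,330109" (major,minor,update,build), are assumptions about how an inventory might record the version.

```python
import re

# Affected and fixed update levels per the Adobe advisory summarized on this page.
# Key: major release year; value: (last affected update, first fixed update).
AFFECTED = {
    2023: (5, 6),
    2021: (11, 12),
}

# CVEs from the page, split by whether exploitation needs user interaction.
CVES_NO_INTERACTION = ["CVE-2023-44351", "CVE-2023-44350", "CVE-2023-44353", "CVE-2023-26347"]
CVES_INTERACTION = ["CVE-2023-44352", "CVE-2023-44355"]

# Assumed inventory formats (not from the page): a human-readable label,
# a comma/dot-separated productversion string, and a bare release with no update.
_HUMAN = re.compile(r"ColdFusion\s+(\d{4})\s+Update\s+(\d+)", re.IGNORECASE)
_PRODUCT = re.compile(r"^(\d{4})[,.]\d+[,.](\d+)")
_BASE = re.compile(r"ColdFusion\s+(\d{4})\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (release_year, update_number) or None if the string is unrecognised."""
    text = text.strip()
    m = _HUMAN.search(text) or _PRODUCT.match(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _BASE.search(text)
    if m:
        return int(m.group(1)), 0  # base release, no update applied
    return None


def assess(text):
    """Classify one inventory string against the advisory's affected/fixed table."""
    parsed = parse_version(text)
    if parsed is None:
        return {"status": "unknown", "input": text}
    year, update = parsed
    if year not in AFFECTED:
        # Releases outside 2021/2023 are not covered by this advisory.
        return {"status": "not-covered", "release": year, "update": update}
    last_bad, first_fixed = AFFECTED[year]
    if update <= last_bad:
        return {
            "status": "vulnerable",
            "release": year,
            "update": update,
            "fix": f"ColdFusion {year} Update {first_fixed}",
            "cves_no_interaction": CVES_NO_INTERACTION,
            "cves_interaction": CVES_INTERACTION,
        }
    return {"status": "patched", "release": year, "update": update}
```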

Proactive Vulnerability Monitoring and Management with SOCRadar

Utilizing the Attack Surface Management (ASM) module, you can proactively monitor emerging vulnerabilities across your digital assets. Receive timely threat alerts and efficiently manage patching efforts to mitigate potential impacts.

SOCRadar Company Vulnerabilities

With SOCRadar’s Vulnerability Intelligence, you can gain insights into hacker trends and access specific vulnerability details and updates, along with their SVRS score (SOCRadar Vulnerability Risk Score). This score offers a comprehensive understanding of a vulnerability’s popularity and the probability of exploitation.

SOCRadar Vulnerability Intelligence